Views: 3777 | Replies: 12
Join Date: Sep 2004
Posts: 5
Reputation:
Rep Power: 0
Solved Threads: 0
Help!!! I can't get to any websites on my IE. Everything keeps getting directed to this http:// 296f8.iltxt.info /index.php?aid=543 site, with a pop up saying that 18% of my files are corrupted with spyware. I need to be able to get to my email and other websites in a hurry for work........can anyone help me remove this virus?
Thanks!
Edit: Link has been altered so that it can't be accidentally clicked on. It leads to a nasty 'Web search' site which plays games with your browser. Don't go there please! - Catweazle
Last edited by Catweazle : Sep 23rd, 2004 at 6:03 am. Reason: Edit link to a hijack infested web page
Join Date: Jun 2004
Location: Virginia
Posts: 253
Reputation:
Rep Power: 5
Solved Threads: 12
If you haven't done so already, download Adaware and Spybot and scan your computer, rebooting between each, and let them fix anything they find. You can download them from here:
http://www.computercops.biz/zx/phoenix22/spybotsd13.zip
http://www.computercops.biz/downloads-file-292.html
After that, download and scan your computer with HijackThis. Be sure you update it to the latest version, which is 1.98.2. Scan your computer and post the log here. One of the security experts will take a look at it and advise you on fixing your computer.
I don't have a link for HijackThis right offhand, but if you check in one of the other threads, more than likely there will be a link to it within a thread or in someone's sig. Good luck!
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
Here's a link for hijackthis:
http://www.softpedia.com/progDownloa...load-5034.html
"...I need to be able to get to my email and other websites in a hurry for work..."
You may need to find an alternate means of doing this as fixing your problem may take a few days.
Join Date: Sep 2004
Posts: 5
Reputation:
Rep Power: 0
Solved Threads: 0
OK, I scanned with adaware and spybot, and so here is the log from the HJT scan:
Logfile of HijackThis v1.98.2
Scan saved at 8:21:14 PM, on 9/22/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost; *windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com; *profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
Is there a name for this virus? I can't seem to figure out what it's called. What next?
Thanks for the speedy reply, by the way!
Heather
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
First, try these free online scans (set them to fix whatever they find):
http://housecall.trendmicro.com/
http://www.pandasoftware.com/actives..._principal.htm
Also, download CWShredder and run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in its database. Close ALL windows before running CWShredder.
http://www.softpedia.com/progDownloa...load-8114.html
Reboot, scan with hjt and post a new log.
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
Before you post a new log, have hjt fix these entries:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost; *windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com; *profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
Reboot into Safe Mode, go to the folder C:\WINDOWS\SYSTEM and delete this file:
X5S9IMYIOYF3HN.EXE
Reboot normally, scan with hjt, and now post a new log.
(Thank crunchie for this last bit, and thanks to Catweazle for editing the link in the original post.)
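Added example, not part of the original posts: one way to confirm that a HijackThis fix took effect is to diff the log taken before the fix against the one taken after it. The sample logs are abridged from the first two logs in this thread; the function names and the FLAGGED list are assumptions made for illustration.

```python
import re
# HijackThis entries start with a section code (R0, O2, O4, O16, ...) then " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into running processes and section entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line.upper())
    return processes, entries

def compare(before, after, flagged):
    """Check that flagged items are gone and list everything else that changed."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    haystack = [d.lower() for _, d in a_entries] + [p.lower() for p in a_procs]
    return {
        "still_present": [f for f in flagged if any(f.lower() in h for h in haystack)],
        "removed_entries": [e for e in b_entries if e not in a_entries],
        "new_entries": [e for e in a_entries if e not in b_entries],
        "gone_processes": sorted(set(b_procs) - set(a_procs)),
    }

# Abridged from this thread's logs; FLAGGED holds identifiers from the entries to be fixed.
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
"""
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
"""
FLAGGED = ["X5S9IMYIOYF3HN.EXE", "{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}"]

if __name__ == "__main__":
    print(compare(BEFORE, AFTER, FLAGGED))
```

The one new entry in the "after" log is the O16 item that the log itself labels as the HouseCall control, which is why new entries are reported separately from flagged ones that survived.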
Join Date: Sep 2004
Posts: 5
Reputation:
Rep Power: 0
Solved Threads: 0
Hi, here is the new log after doing all that was asked of you guys.....except the panda scan....since it opens in a new window, the window flips back to the weird index page I'm having problems with. Otherwise, everything else was done. Here's the log:
Logfile of HijackThis v1.98.2
Scan saved at 11:18:42 AM, on 9/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS1.98.2\HIJACKTHIS.EXE
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
What next? Thanks for all your help here!!!!
Have you rebooted before posting that log? It looks kinda thin on the ground...
Join Date: Sep 2004
Posts: 5
Reputation:
Rep Power: 0
Solved Threads: 0
I thought I rebooted, but maybe not....I rebooted again and here is the log.
Logfile of HijackThis v1.98.2
Scan saved at 11:46:22 AM, on 9/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS1.98.2\HIJACKTHIS.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
I also have noticed when I reboot, not everything loads (when I look at the task manager). I went into msconfig and notice it keeps defaulting to selective startup, rather than normal start up. I keep changing it back to normal, but it keeps defaulting to selective. Maybe that has something to do with the log not looking right. Is this a result of the virus?
Thanks!
Join Date: Jul 2004
Location: Washington, USA
Posts: 2,964
Reputation:
Rep Power: 10
Solved Threads: 189
Originally Posted by blondie074
I also have noticed when I reboot, not everything loads (when I look at the task manager). I went into msconfig and notice it keeps defaulting to selective startup, rather than normal start up. I keep changing it back to normal, but it keeps defaulting to selective. Maybe that has something to do with the log not looking right. Is this a result of the virus?
http://www.javacoolsoftware.com/
Your startup problem certainly needs to be fixed, hopefully someone here can help you with that; I'm afraid I can't.